
How to Create a Password Policy

Password policies set the baseline standards for user passwords to enhance login security. This article will guide you through the process of creating a password policy in the Cyolo Application Portal and applying it to a local identity provider profile.

Prerequisites

Before you begin, ensure you have the following:

Admin Access: You must have administrator privileges to create and manage password policies.

Configuration

Step 1: Create a Password Policy

The Password Policies page has a default policy with constraints auto-filled. This policy cannot be edited or deleted.

  1. Log in to the Cyolo admin portal.
  2. Navigate to the Policies > Password Policies page.
  3. Click Create new policy to add a new password policy.
  4. On the new page, enter the following information:
    a. Name: Enter a descriptive name for the password policy.
    b. Description: Provide additional information about the policy.
    c. Expiration (days): Enter a number between 1 and 9999. Setting 0 days means the password never expires. The default is 90 days.
    d. Minimum password length: The minimum is 8 characters and the maximum is 64 characters. The default is 8 characters.
    e. Number of previous passwords that cannot be reused: The minimum is 0 and the maximum is 12 previous passwords. Setting this field to 0 would mean that a password cannot be re-used. The default is 4 passwords.
    f. Characters Complexity: From the drop-down menu, select how many of the four complexity options below must be satisfied by the password. The default is 3 out of 4.
       1. At least 1 uppercase letter (A-Z)
       2. At least 1 lowercase letter (a-z)
       3. At least 1 number (0-9)
       4. At least 1 symbol (@#$!...)
    g. Additional Settings: Prohibit most common dictionary passwords. Enable this checkbox to prohibit the use of commonly used passwords, such as "123456" or "password".
  5. Click Add to save the new password policy.
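The constraints entered in Step 1 are evaluated together when a user sets a new password. The evaluator below is an added illustration written for this guide, not Cyolo's own code (which is not shown on this page); the class and function names (PasswordPolicy, validate, remember, is_expired) and the small COMMON_PASSWORDS list are constructed for the example. It uses the page's defaults (90-day expiration, 8-character minimum, 64-character maximum, 4 remembered passwords, 3 of 4 character classes, common-password check) and stores password history as salted hashes rather than plaintext.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample denylist standing in for a "most common dictionary passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}

MAX_LENGTH = 64          # upper bound stated on the page
PBKDF2_ITERATIONS = 50_000  # assumption: any slow, salted hash is fine for history entries


@dataclass
class PasswordPolicy:
    """Field names mirror the portal's labels; defaults are the page's defaults."""
    expiration_days: int = 90      # 0 = the password never expires
    min_length: int = 8            # 8..64
    history_size: int = 4          # number of previous passwords that cannot be reused
    required_classes: int = 3      # how many of the four character classes are required
    prohibit_common: bool = True   # "Prohibit most common dictionary passwords"


def character_classes(password: str) -> int:
    """Count how many of the four complexity classes the password satisfies."""
    return sum([
        any(c.isupper() for c in password),     # uppercase letter (A-Z)
        any(c.islower() for c in password),     # lowercase letter (a-z)
        any(c.isdigit() for c in password),     # number (0-9)
        any(not c.isalnum() for c in password), # symbol (@#$! ...)
    ])


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def remember(password: str) -> tuple[bytes, bytes]:
    """Produce the (salt, digest) record kept in the user's history after a successful change."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def validate(policy: PasswordPolicy, candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the names of violated rules; an empty list means the password is accepted.

    history holds the user's previous passwords as (salt, digest) records, newest first;
    only the most recent policy.history_size entries are compared.
    """
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("min_length")
    if len(candidate) > MAX_LENGTH:
        violations.append("max_length")
    if character_classes(candidate) < policy.required_classes:
        violations.append("complexity")
    if policy.prohibit_common and candidate.lower() in COMMON_PASSWORDS:
        violations.append("common_password")
    for salt, digest in history[:policy.history_size]:
        # Constant-time comparison so the check leaks nothing about stored digests.
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            violations.append("reused")
            break
    return violations


def is_expired(policy: PasswordPolicy, days_since_change: int) -> bool:
    """Expiration (days): a value of 0 means the password never expires."""
    return policy.expiration_days > 0 and days_since_change >= policy.expiration_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(validate(policy, "Abcdef12", []))     # accepted: 8 chars, upper+lower+digit
    print(validate(policy, "password", []))     # complexity and common-password violations
    previous = [remember("Abcdef12")]
    print(validate(policy, "Abcdef12", previous))  # reused
```

A password such as "Abcdef12" satisfies three of the four classes, so it passes the default 3-of-4 setting even without a symbol; raising required_classes to 4 would reject it. The history slice is what makes the "number of previous passwords that cannot be reused" field meaningful: a password older than the configured window is no longer compared.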

Step 2: Apply the Password Policy to a Local Identity Provider

To enforce the newly created policy, it must be associated with a local identity provider.

  1. Navigate to the Integrations > Identity Providers page.
  2. By default, local is selected under Available identity providers with the password policy set to default. Select local and click the Edit button.
  3. In the Edit Profile section, select the custom password policy you created from the drop-down menu.

  4. Allow users to reset their own password: Enabling this option allows end-users to reset their own password. This option is disabled by default.

  5. Accept legal documentation: This option displays the legal document of corporate policy. The document must have been uploaded to the Configuration > Branding page for this option to work. This option is disabled by default.

  6. MFA provider: Click the drop-down menu to select the MFA provider. By default, Cyolo is selected. For an external MFA provider to be listed here, the external provider must have been created on the Integrations > MFA Providers page. Selecting None does not prompt the user for MFA. However, if MFA is enabled on either the Configurations > Global Settings page or in Conditions profiles on the Policies > Conditions page, setting this option to None effectively blocks users requiring MFA from accessing resources.

  7. Available MFA methods: This option is displayed only when Cyolo is selected above. Enable the options below to set the methods by which MFA is performed. By default, all the checkboxes are enabled.
    a. Scan QR code
    b. Provide phone number
    c. Provide email address

  8. Editing sign-in methods:
    a. Allow users to change their sign-in methods: Enabling this option allows end-users to change their sign-in method. This option is displayed only when Cyolo is selected above.

  9. Additional settings:
    a. Users can change their personal details: Enable this option if you want end-users to be able to change their personal details on the Cyolo Application Portal.

  10. Click Save to save the changes.

By following these steps, you can create a password policy with specific constraints and apply it to a local identity provider profile, ensuring that user passwords meet your organization's security requirements.

Additional Notes

  • Password Complexity: Ensure that your password policy enforces strong password practices to prevent unauthorized access.
  • Regular Updates: Periodically review and update password policies to adapt to new security challenges and standards.
  • User Training: Educate users on the importance of strong passwords and the specific requirements of your password policy.